- As a CI/CD pipeline step that fails the build on non-compliance
- Through the Kosli API for custom tooling
- Via a Kubernetes admission controller that rejects non-compliant pods
Assertion scopes
kosli assert artifact (and its API equivalent) supports three assertion modes:
--environment and --policy are mutually exclusive.
--flow can be combined with any mode to narrow the lookup to a specific flow. Without --flow, all flows containing the artifact (by fingerprint) are considered.
See kosli assert artifact for the full flag reference.
Enforce in CI/CD pipelines
Addkosli assert artifact as a step before your deployment step. If the artifact is non-compliant, the command exits with a non-zero status and the pipeline fails.
Assert against an environment
Check all policies attached to the target environment:- GitHub Actions
- GitLab CI
Assert against specific policies
Check one or more named policies directly. This is useful when gating a promotion between stages or checking policies that are not attached to an environment:Enforce via the API
For custom deployment tooling or non-CI contexts, call the assert endpoint directly:- EU
- US
compliant—trueorfalsepolicy_evaluations— detailed results per policy (when asserting against an environment)compliance_status— per-attestation compliance breakdown
- EU
- US
Enforce with a Kubernetes admission controller
A Kubernetes validating admission webhook can call the Kosli assert API when a pod is created and reject pods whose images are non-compliant. The flow is:1
Pod creation triggers the webhook
Kubernetes calls your admission webhook before scheduling the pod.
2
Webhook extracts the image fingerprint
The webhook reads the container image reference from the pod spec and resolves its SHA256 digest.
3
Webhook calls the Kosli assert API
The webhook sends a request to the assert endpoint with the fingerprint and the target environment name.
4
Webhook returns allow or deny
If
compliant is true, the pod is admitted. If false, the webhook rejects the pod with a message explaining which policy requirements were not met.What happens on failure
CLI: A non-compliant artifact causeskosli assert artifact to exit with a non-zero code. CI/CD pipelines treat this as a failed step and stop the deployment. Use --output json to get machine-readable compliance details.
API: The response body returns compliant: false with a compliance_status object describing which attestations are missing or non-compliant, and policy_evaluations listing per-policy results.